Tuesday, July 14, 2015

The RDS team did a great blog post on using the RDS deployment template for Azure Resource Manager. Azure Resource Manager lets you work with related resources as a group and deploy, update or delete all of them in a single, coordinated operation. With an Azure Resource Manager template you can very easily set up an environment (in this case RDS) and deploy it as one group of resources. Azure Resource Manager is the management API layer for the future of the Microsoft cloud!

I took the RDS template for a test drive, and the result was pretty impressive: a full RDS deployment up and running!

This is what the template creates for you:

VNET

New storage account

Public IP resource

Load balancer resource, with the required ports opened

VM for Active Directory and DNS server roles

VM for RD Gateway and RD Web Access server roles

VM for RD Connection Broker and RDS License server roles

VMs for RD Session Host (RDSH) servers

A basic AD DS deployment

A full RDS desktop deployment, including RD Gateway, licensing etc.

After the Azure Resource Manager template deployment finishes, you end up with a working RDS deployment, reachable from the internet and ready for POC testing, trying out customizations, and so on.

The only thing not configured is, obviously, SSL certificates, which means you end up with self-signed certificates on the RDS roles. Clients cannot validate those, so users see a certificate warning on every connection and the RD Gateway endpoint, which is exposed to the internet, cannot be told apart from an impostor. This is easily changed by providing a trusted certificate through the Remote Desktop Management Services (RDMS) deployment properties in Server Manager on the RD Connection Broker server (or with the Set-RDCertificate cmdlet).
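As an added example (not part of the original post), this is how the self-signed certificates the template leaves behind can be replaced on all four RDS roles at once with the RemoteDesktop module. The broker FQDN and the PFX path are assumptions; the PFX must contain the private key and its subject or SAN must match the external name users connect to.

```powershell
# Added example: replace the template's self-signed certificates on every RDS role
# with one publicly trusted certificate. Run in an elevated PowerShell session on
# the RD Connection Broker (or any server with the RSAT-RDS-Tools feature).
# Hostnames and paths below are assumptions.

$broker  = 'rdcb.contoso.com'            # assumed RD Connection Broker FQDN
$pfxPath = 'C:\Certs\rds-external.pfx'   # assumed PFX containing the private key
$pfxPwd  = Read-Host -AsSecureString -Prompt 'PFX password'

# One certificate is normally used for all four roles. The certificate name must
# match the external FQDN of the RD Gateway / RD Web Access endpoint, otherwise
# clients will still get a name-mismatch warning.
$roles = 'RDGateway', 'RDWebAccess', 'RDPublishing', 'RDRedirector'

foreach ($role in $roles) {
    Set-RDCertificate -Role $role -ImportPath $pfxPath -Password $pfxPwd `
                      -ConnectionBroker $broker -Force
}

# Check: every role should now show Level 'Trusted' and the same thumbprint.
Get-RDCertificate -ConnectionBroker $broker |
    Format-Table Role, Level, Subject, ExpiresOn, Thumbprint -AutoSize
```

Remove the PFX from the server afterwards; the private key has been imported into the roles' certificate stores and the file is only another copy to protect.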

Obviously this is not production ready, but what is also cool about Azure Resource Manager templates in general is that you can create your own customized template, for example by basing it on the RDS one that is provided, and build from there.
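As an added example (not the RDS team's own instructions), this is the Azure PowerShell pattern for deploying such a template as one resource group, validating it first and keeping the domain admin password out of any parameters file. The post used the 2015 AzureRM-era cmdlets; the Az module names are used here and the pattern is the same. The template URI and the parameter names are assumptions and must match the template you actually deploy.

```powershell
# Added example: deploy an ARM template into a fresh resource group with the Az
# module. Template URI and parameter names are assumptions for illustration.

Connect-AzAccount | Out-Null

$rgName   = 'rds-poc-rg'
$location = 'westeurope'
$template = 'https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/rds-deployment/azuredeploy.json'  # assumed location

# Never put the domain admin password in a parameters file or in source control:
# collect it as a SecureString and hand it to the template's 'securestring' parameter.
$cred = Get-Credential -Message 'Domain admin account for the new AD DS forest'

$params = @{
    adminUsername         = $cred.UserName
    adminPassword         = $cred.Password       # SecureString, never plain text
    adDomainName          = 'contoso.local'                             # assumed parameter name
    dnsLabelPrefix        = 'rds-poc-' + (Get-Random -Maximum 9999)     # assumed parameter name
    numberOfRdshInstances = 2                                           # assumed parameter name
}

New-AzResourceGroup -Name $rgName -Location $location -Force | Out-Null

# Validate before creating anything; the cmdlet returns errors only when invalid.
$problems = Test-AzResourceGroupDeployment -ResourceGroupName $rgName `
                -TemplateUri $template -TemplateParameterObject $params
if ($problems) { $problems | Format-List; throw 'Template validation failed' }

$deployment = New-AzResourceGroupDeployment -ResourceGroupName $rgName -Name 'rds-poc' `
                  -TemplateUri $template -TemplateParameterObject $params
$deployment.ProvisioningState

# Review what the template exposed to the internet: the public IP and the
# load balancer rules in front of the RD Gateway / RD Web Access server.
Get-AzPublicIpAddress -ResourceGroupName $rgName | Select-Object Name, IpAddress
Get-AzLoadBalancer -ResourceGroupName $rgName |
    Select-Object -ExpandProperty LoadBalancingRules |
    Select-Object Name, Protocol, FrontendPort, BackendPort
```

Treat a POC deployment like this as disposable: delete the whole resource group (Remove-AzResourceGroup) when you are done, which removes every resource the template created in one operation.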

To open the template directly in your subscription, click the icon below.

In this blog post I’ll guide you through the process of setting up MFA on Azure RemoteApp.

First of all, conditional access requires Azure AD Premium (currently in preview). You can however set this up with a 30-day trial. To do that, open the Azure portal, browse to your Azure AD directory and choose the option "TRY AZURE ACTIVE DIRECTORY PREMIUM NOW".

Confirm the agreement below

It takes a few minutes to set up. Click the refresh link to start using it.

Shortly after that, you should receive a confirmation email that the organization is ready for Azure AD Premium.

Now click on Microsoft Azure RemoteApp and go to the Configure tab. For this demo, we select Enabled Access Rules, apply it to all users, and select Require multi-factor authentication.

The next time we log on to the Azure RemoteApp client with an organizational account from this Azure AD directory, we are presented with the following:

This is MFA kicking in. We click "Set it up now". Without having to leave the Azure RemoteApp client, we are given the option to provide a phone number and the verification method we want to use for this account. In this case I chose phone authentication and provided my cell number. (We obviously only have to perform these steps once.) Note that whoever signs in first registers the phone number: a password stolen before its owner has enrolled lets the attacker enroll their own phone, so have users complete this registration proactively rather than waiting for the first prompt.

When we click Contact me, Azure MFA calls the number provided to verify that it is correct.

The verification process is now completed and we are ready to use MFA for Azure RemoteApp.

When we proceed with the logon in the Azure RemoteApp client, we are presented with the following screen indicating that we can expect a call to the phone number we provided to complete the MFA challenge!

And after that, we are presented with the RemoteApps assigned to us through the Azure RemoteApp collection.

There are some other options in the conditional access policy worth mentioning. We can, for example, enforce MFA only when people connect from outside the corporate (trusted) locations, or even block access in those cases.

By clicking the link, we can configure these trusted locations, choose whether or not to allow app passwords, and allow users to suspend multi-factor authentication on remembered devices. Two caveats: an app password is a single-factor credential for clients that cannot do MFA, so leaving app passwords enabled means a stolen app password bypasses this policy; and a remembered device suppresses the second factor for as long as the remembered-device period lasts, so keep that period short and make trusted locations no wider than the egress addresses you actually control.
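The per-application Access Rules shown in this post (and the MFA rule configured on the Configure tab above) no longer exist in that form; the same policy, "all users, require MFA, unless they come from a trusted location", is expressed today as a Conditional Access policy. As an added example that is not part of the original post, this is that policy with the Microsoft Graph PowerShell SDK, including the two checks a practitioner would want: a break-glass account excluded so the policy cannot lock out the tenant, and report-only mode first. The application ID, IP range and break-glass object ID are assumptions.

```powershell
# Added example: the post's MFA rule as a modern Conditional Access policy,
# created with the Microsoft Graph PowerShell SDK. IDs and the IP range are
# assumptions; 203.0.113.0/24 is a documentation-only range.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# 1. The trusted (corporate) location. Keep it narrow: only egress addresses
#    you control, because anything inside it will not be asked for MFA.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Corporate HQ egress'
    isTrusted     = $true
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.0/24' }
    )
}

# 2. The policy itself. Start in report-only so the sign-in logs show who would
#    have been prompted or blocked before the rule is enforced.
$breakGlass = '00000000-0000-0000-0000-000000000000'   # assumed object ID of an emergency-access account
$appId      = '11111111-1111-1111-1111-111111111111'   # assumed app ID of the remote-desktop application

$policy = @{
    displayName   = 'Remote desktop: require MFA outside trusted locations'
    state         = 'enabledForReportingButNotEnforced'   # change to 'enabled' after review
    conditions    = @{
        users        = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
        applications = @{ includeApplications = @($appId) }
        locations    = @{ includeLocations = @('All'); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# 3. Confirm the exclusion took effect before enabling enforcement.
(Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id).Conditions.Users.ExcludeUsers
```

To get the "block access from outside trusted locations" variant the post mentions, replace the grantControls block with `grantControls = @{ operator = 'OR'; builtInControls = @('block') }` and keep the same location exclusion.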